Editor's Note: Inc. Magazine announced its pick for Company of the Year on Tuesday, November 29. It's Riot Games! Here, we spotlight Cylance, a contender for the title in 2016.
In 2011, cybersecurity researcher and entrepreneur Stuart McClure spent his last year working at McAfee, as the company's global chief technology officer, apologizing a lot. McClure said hackers were slipping into McAfee customer networks and each subsequent breach seemed worse than the last.
McClure would have to meet with each of the big McAfee corporate customers to explain why the software failed and at the end of each meeting someone would ask McClure the same question: "'What type of security software do you use on your machine to prevent cyber attacks?'" The customers would then wait, pens poised above a piece of paper to jot down the long list of layer after layer of high-end software that the global CTO of a multimillion-dollar security company would surely recommend. But McClure would have to tell them his dirty secret:
He didn't use any security software. Not even his employer's.
"I would tell them I only trust my brain and my hand, because there are no new ways to breach a network," says McClure of his former employer, which is now owned by Intel. "I would walk them through what I did each day to prevent attacks," he says. "I asked myself, 'Why can I prevent attacks on my computer with my behavior and we can't train a computer to do the same thing?'"
That was the seed for Cylance, the Irvine, California company co-founded in 2012 by McClure and McAfee's then-chief scientist, Ryan Permeh. Contrary to what most big security vendors tell customers, McClure explains, there are only a handful of ways a hacker can penetrate a company's systems. If you know your way around a system, you know the ways a hacker can get in and you know how to protect your machine.
Though Cylance has signed up high-profile customers like Toyota, Gap, WWE, Panasonic, and a long list of clients it cannot name, the biggest endorsement of its software, which uses both artificial intelligence and machine learning, came in 2016. The U.S. House of Representatives Committee on Oversight and Government Reform issued a report in which it detailed arguably the worst data breach perpetrated against the U.S. government and credited Cylance for finding and fixing the problem.
The widely cited report put Cylance on the map, for its part in successfully throttling a months-long data breach of the United States Office of Personnel Management. Before Cylance was hired to mitigate the hack, cyber crooks had swiped the sensitive personal information of 21.5 million Americans, both current and former federal government employees.
This year, Dell announced that it would include Cylance on the machines it sells to corporate customers.
Those accolades are forcing investors to take notice. Blackstone, Insight Venture Partners, Khosla Ventures, and others have flooded Cylance with $177 million--giving the company a valuation of $1.1 billion. This year, the company also landed the 26th spot on the Inc. 5000, which tracks the three-year revenue growth of the fastest-growing private companies in America. Cylance brought in $11.1 million in 2015 revenue, up 7,613 percent from 2012.
The key difference between Cylance and its competitors is that it moves to prevent hacks, rather than to simply detect them. Most legacy antivirus software is maintained by humans, says McClure. Researchers find a virus and tell a security company, an employee has to give it a signature and a name, and then an update is issued and sent to all the antivirus software users. This process, which is prone to human error, can take weeks, McClure explains.
Co-founder Ryan Permeh explains why Cylance's method works: "Bad guys change their hacking methods slowly over time. They are approaching glacial speeds. The snow and ice on top changes, so their tools appear new, but the glacier doesn't move that much." In other words, since there aren't many new ways to break in, you can plan around the known vulnerabilities. And rather than task a team of humans to watch a company 24 hours a day, seven days a week, it is possible to teach a machine to do the work.
"Our machine-learning model continues to go through iterative experiences to learn incrementally, like a human brain," says McClure. "The more data we feed it, the smarter it gets, the more aware it becomes, and the easier it is to recognize objects and names."
To be sure, this method of security is seen by many in the industry as a fool's errand, after companies from Adobe to Sony have been breached. As attacks become more plentiful--and bad actors breach the security of some of the world's biggest companies and governments--many security companies have turned to detection instead of prevention.
Even so, McClure says it is possible to prevent breaches. The entrepreneur cut his chops in the 1980s studying the Morris worm, the first autonomous virus. He also co-authored the seminal book on breaching networks, Hacking Exposed, and, with former partner George Kurtz sold his first security startup, Foundstone, another Inc. 500 company, to McAfee in 2004. Kurtz, who quit McAfee to start detection security company Crowdstrike, and McClure are now battling it out on either end of network security theory. Kurtz, in the detection camp, can also boast $1 billion valuation.
"There is no such thing as 100 percent security," says McClure. "There is always some way in. But now, as artificial intelligence and machine learning have improved, you can prevent hackers of today and tomorrow, because hackers use the same techniques."
Confidence has also been key to Cylance's success. Even before the company's software existed, Mark Hatfield, who was a partner at Fairhaven Capital at the time, says he remembers sitting down to dinner with McClure. The entrepreneur took a napkin and mapped out the whole company--the problem it would solve, how antivirus software doesn't work, how they would use machine learning to teach a mathematical model to recognize malware, and how in two years they'd have a product better than anything on the market. Hatfield was sold.
"There was no code. It had to be built, but his vision and his experience with what wasn't working at McAfee, and his ability to recruit smart people, which is key, was all there," says Hatfield. "The napkin said it all: McClure was able to break down a complex problem into something anyone could understand."
"McClure knew the problem better than anyone, and at the end of day, people follow his lead," says Jay Leek, managing director and the chief information security officer for Blackstone.
Today, the company is now protecting more than three million computer networks, Permeh says. In 2014, Cylance revealed that Iranian hackers had breached the networks of airports all over the world and were printing out security badges. McClure and Permeh add that after they discovered this breach, it reinforced their belief that preventing hacks was the right thing to focus on.
"Honestly, most hacks, most major breaches, are not that complicated," says Permeh. "What's more concerning is that there is a lot of malware out there on networks. At Cylance, we let machines do what machines do well, to sift through big data to find those patterns of maliciousness at scale and stop attacks before they start."